TPA-RFC-76: mirror tor-puppet.git to the gitlab server

in #40861 (closed), @lavamind found over a dozen branches in the repository. in #41970 (closed), we tried to clean them up. i deleted a couple of old branches but there's a solid core of patches that just Must Be Merged eventually, or at least properly discussed.

the root access review (#41962) also outlined that our lack of merge request workflow is severely impeding our capacity at accepting outside contributions as well.

note that this is different from #29387: we do not have to make the repository public for this to work, we could "just" make the repository private to TPA (and select contributors like @hiro) for this to work, initially.

the mistake to avoid is to end up trusting gitlab: we should adopt a workflow where code is not merged by gitlab, but by us: we just use merge requests to review the works, then merge and push locally.

we might be able to not need to trust gitlab when/if we setup commit signing, but this is out of scope here.

update: now a formal proposal in https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-76-puppet-merge-request-workflow

/deadline in one week